berimbolo

Reputation: 3829

AWS API Gateway: User: anonymous is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api:

I have created the API Gateway with Terraform and I am then attaching APIs to it using the Serverless Framework.

I have created a resource policy based on this AWS tutorial (https://aws.amazon.com/premiumsupport/knowledge-center/api-gateway-resource-policy-access/) as I want to be able to use custom API Gateway domains, but I do not want my APIs accessible by anyone over the internet unless their IP address is in my whitelist.

Here is my rendered policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "allow",
            "Effect": "Allow",
            "Principal": "*",
            "Resource": "arn:aws:execute-api:eu-west-1:*:/*/*/*"
        },
        {
            "Sid": "ipwhitelist",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:eu-west-1:*:/*/*/*",
            "Condition": {
                "NotIpAddress": {
                    "aws:SourceIp": [
                       <<excluded>>
                    ]
                }
            }
        }
    ]
}

I have redeployed my API and now I am blocked regardless of whether my IP address is in the allowed list or not, and according to the tutorial this should work.

I have also tested the policy by removing the entire deny section so it only allows all traffic, and this still results in my calls being blocked. When I delete the policy and then redeploy my serverless project it works again, so with that being said, is there a reason why the allow policy would still block all IP addresses?

I am looking for ideas of where to look to find out why the whitelist is not working.

Upvotes: 1

Views: 9767

Answers (1)

berimbolo

Reputation: 3829

The answer to this is that I was missing a permission from my allow policy. The explicit allow is required to allow anything that is then excluded by the deny policy, but it was missing any actions. I had to ensure the following was present in the Terraform that generated the allow part of the policy:

actions = ["execute-api:Invoke"]

This is then translated into the following in the actual IAM policy:

"Action": "execute-api:Invoke"

Upvotes: 2
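As an added illustration (not code from the question or the answer), the following Python models the IAM evaluation rules that explain the behaviour above: an explicit Deny beats any Allow, and a statement that names no "Action" grants nothing, so without an explicit Allow every request falls to the implicit deny. It is a simplified model (assumptions: Principal "*", a single action, wildcard resource matching and the NotIpAddress condition only); the CIDR list and resource ARN are constructed sample values.

```python
# Simplified model of IAM resource-policy evaluation for API Gateway.
# Assumptions: only execute-api:Invoke, Principal "*", NotIpAddress condition.
import ipaddress
from fnmatch import fnmatchcase

TRUSTED_CIDRS = ["203.0.113.0/24"]  # constructed sample allow-list (TEST-NET-3)
SAMPLE_RESOURCE = "arn:aws:execute-api:eu-west-1:123456789012:/prod/GET/pets"


def _statement_matches(stmt, action, resource, source_ip):
    # A statement with no "Action" matches no request at all, so it can never
    # produce an Allow. This is the defect in the original policy.
    actions = stmt.get("Action")
    if actions is None:
        return False
    if isinstance(actions, str):
        actions = [actions]
    if not any(fnmatchcase(action, a) for a in actions):
        return False
    if not fnmatchcase(resource, stmt["Resource"]):
        return False
    cond = stmt.get("Condition", {})
    if "NotIpAddress" in cond:
        ranges = cond["NotIpAddress"]["aws:SourceIp"]
        ip = ipaddress.ip_address(source_ip)
        if any(ip in ipaddress.ip_network(r) for r in ranges):
            return False  # caller is inside the list, so NotIpAddress fails
    return True


def evaluate(policy, source_ip, action="execute-api:Invoke",
             resource=SAMPLE_RESOURCE):
    """Return 'Allow' or 'Deny': explicit deny wins, otherwise implicit deny."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        if _statement_matches(stmt, action, resource, source_ip):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def make_policy(allow_has_action, include_deny=True):
    """Build the page's policy, with or without the missing Action in the Allow."""
    allow = {"Sid": "allow", "Effect": "Allow", "Principal": "*",
             "Resource": "arn:aws:execute-api:eu-west-1:*:/*/*/*"}
    if allow_has_action:
        allow["Action"] = "execute-api:Invoke"
    deny = {"Sid": "ipwhitelist", "Effect": "Deny", "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:eu-west-1:*:/*/*/*",
            "Condition": {"NotIpAddress": {"aws:SourceIp": TRUSTED_CIDRS}}}
    statements = [allow, deny] if include_deny else [allow]
    return {"Version": "2012-10-17", "Statement": statements}
```

Running `evaluate(make_policy(False), "203.0.113.7")` reproduces the symptom (Deny even for a listed address), and `evaluate(make_policy(True), "203.0.113.7")` returns Allow while an unlisted address is still denied.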
